Monday, June 11, 2007

Dual-armed server-to-server load balancing with Cisco ACE

Let's say you have a large data center, and in this data center you have lots of dual-armed load-balanced server farms. It can happen that these servers need to call each other's balanced services. Here's how this can be accomplished with very little configuration on the real servers.

Scenario:

The BLUE-SERVERFARM real servers need to query a web service located on the YELLOW-SERVERFARM, on TCP port 2000. All of the real servers use the "upper" interface (vlan 101) to act as servers, i.e. to answer clients' queries coming from the ACE. The "internal" interface (vlan 102) is used by the servers when they act as clients of someone else's service. This is easy to configure on the servers, it's just a matter of routes: the default gateway is always the ACE, and there's a static route on the internal interface for all the IPs the server could query when acting as a client.

Without configuring Source NAT on the ACE, all connections fail because of asymmetric responses from the servers of the YELLOW-SERVERFARM. When a connection arrives from the ACE, its source IP is the internal interface of the client server. Since that IP is on a LAN directly connected to the destination server, the response goes back over the INTERNAL interface, not along the same route as the request.

Solution: Source-NATting these requests on the ACE means the destination server no longer sees the source IP as directly connected, so it answers via its default gateway (the ACE) and the response follows the same path as the request. The simplest way I've found is to reserve a new virtual address used only for requests coming from servers on the same LAN, as described above. Clients keep querying the service on VIP 10.20.0.2 port 2000, while servers on the same LAN query the same service on the same port but on VIP 10.20.0.20, where they are Source-NATted with an IP from the SNATPOOL.

A real server of the YELLOW-SERVERFARM answering the request sees it coming from a SNATted address and therefore routes the response via its default gateway (the ACE), which sends the packets back along the same path as the request.
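The ACE side of this setup, as an added example that is not the post's own configuration: a second VIP 10.20.0.20:2000 in front of the same YELLOW-SERVERFARM, with a dynamic NAT pool on vlan 101 applied to that VIP only, so the public VIP 10.20.0.2 keeps serving ordinary clients untouched. Real server addresses, the ACE interface addresses, the pool range and all object names other than the serverfarm and VIP are assumptions.

```cisco
! Added example, not the original post's configuration. Everything except
! the serverfarm name, the VIP 10.20.0.20 and port 2000 is assumed.
access-list ALLOW-ALL line 8 extended permit ip any any

rserver host YELLOW-SRV1
  ip address 10.20.1.11
  inservice
rserver host YELLOW-SRV2
  ip address 10.20.1.12
  inservice

serverfarm host YELLOW-SERVERFARM
  rserver YELLOW-SRV1
    inservice
  rserver YELLOW-SRV2
    inservice

! Second VIP, queried only by real servers from their internal (vlan 102)
! interface. The public VIP 10.20.0.2 stays in its own, un-NATted policy.
class-map match-all VIP-YELLOW-2000-SNAT
  2 match virtual-address 10.20.0.20 tcp eq 2000

policy-map type loadbalance first-match LB-YELLOW
  class class-default
    serverfarm YELLOW-SERVERFARM

policy-map multi-match PM-INTERNAL
  class VIP-YELLOW-2000-SNAT
    loadbalance vip inservice
    loadbalance policy LB-YELLOW
    ! Rewrite the client server's source IP with an address from pool 1,
    ! which lives on vlan 101: the YELLOW server then answers the ACE
    ! instead of replying directly over its own internal interface.
    nat dynamic 1 vlan 101

! "upper" vlan: real servers answer here, so the SNAT pool is defined here.
interface vlan 101
  ip address 10.20.1.1 255.255.255.0
  nat-pool 1 10.20.1.250 10.20.1.254 netmask 255.255.255.0 pat
  access-group input ALLOW-ALL
  no shutdown

! "internal" vlan: real servers send their client requests here, so the
! policy holding the SNATted VIP is bound to this interface.
interface vlan 102
  ip address 10.20.2.1 255.255.255.0
  access-group input ALLOW-ALL
  service-policy input PM-INTERNAL
  no shutdown
```

On the servers nothing changes beyond the static route already described: 10.20.0.20 reached through the internal interface with the ACE's vlan 102 address as next hop.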